Zombie Processes: How To Hunt, Kill and Remove a Zombie Process on Linux
By Lee Li
In the world of Linux, a zombie process refers to any process that is essentially removed from the system as ‘defunct’, but still somehow resides in the processor’s memory as a ‘zombie’.
Also sometimes referred to as a process in a ‘terminated state,’ a Zombie process is usually cleaned from the memory system through a parent process. But when the parent process isn’t notified of the change, the child process (zombie) doesn’t get the signal to leave the memory.
In this article, we will provide an in-depth guide about zombie processes that can accumulate in your system. We’ll discuss how to spot them, kill them, and the disadvantages of accumulated zombie processes.
What is a Zombie process?
To understand how zombie processes work, it is essential to know how processes work on Linux. Every-time a process is removed from a Linux system, it informs its parent process about its execution. And until it has notified its parent, it stays in the process descriptor’s memory. This means that a dead process isn’t immediately removed and continues to hog the system’s memory, hence becoming a zombie.
You will notice this when it becomes marked as EXIT_ZOMBIE, signaling the parent process with a SIGCHLD signal — meaning that the child process has died. The parent process then calls the wait() system that informs it of the zombie process’s exit information. Once the wait() is called into play, the zombie process is now completely removed from the descriptor’s memory.
These functions usually happen very quickly, so there is no time for zombie processes to accumulate on your system. However, for a zombie process to be removed entirely from the system, the parent process must be appropriately programmed to call on wait(). If you’re unsure how to identify zombie processes in your system, conduct a routine zombie test using predetermined patterns and methods.
The complexity of using modern era software has made it critical to execute software testing to find tricky bugs in your applications. The best way to accomplish this is to have your applications continuously scanned while they are running. According to DevSecOps analysts at Cloud Defense, the most efficient way to accomplish this is to utilize a “unified platform that can identify security gaps and present the vulnerabilities categorized by risk calculated based on multiple factors.”
How do you get rid of Zombie processes?
Bear in mind that zombie processes are already dead. This means that you cannot kill a zombie function with the same command (SIGKILL signal) to kill normal processes. Since zombie processes are generally inactive, you might think they are harmless and will not do much harm to your system. However, an accumulation of zombie processes in large numbers might prove troublesome for your system as it can make your server slow.
This so happens because although zombies do not use up your system’s precious resources like a rogue app does, it can pose a significant threat by retaining all PIDs (Process IDs). Since a Linux system has a finite amount of PIDs, when numerous PIDs are zombied, no other process can easily be launched. Furthermore, if a zombie process is not executed correctly, your website’s server cPanel could stop, leading to website downtime.
The steps necessary to clean up an accumulation of zombie processes can be difficult and complicated.
Below are two scenarios that can simplify this process and help you to remove a zombie process:
If the parent process is still active
The zombie process exists while the parent process is still active and stuck on a particular task somewhere in the system, and hasn’t received the execution signal.
In such cases, there are two things you can do:
Use the strace command on the parent process to debug and troubleshoot the issue. A strace command stores all system calls and signals made by a process.
Additionally, you can also kill the zombie process by sending the SIGCHLD signal to the parent process to make the parent process exit cleanly with its zombie process. If you choose this option, it is preferred to use the ‘kill’ command in tandem with the default signal -15 (SIGTERM) instead of using a -9 (SIGKILL) signal.
If the parent process is no longer active
However, oftentimes the parent process is ‘inactive’. It may be possible that the process isn’t programmed correctly, which may cause it to ignore the SIGCHLD signals.
In such a case, it makes sense for you to remove the parent process so that a new parent (an init process) is issued to the zombie processes.
An init process — short for initialization — is the first process that is issued when a system reboots. An init process will then periodically execute the regular protocol: giving the wait() system call to clean up its zombie children.
One thing to remember is that if a parent process is inactive, you cannot remove the zombie process without rebooting your system. So if you only have a few zombie processes and they aren’t multiplying, you can deal with them at the next system reboot. However, zombie processes may be quick to accumulate, usually a signal that there might be an issue with your system.
If a parent process continues to create zombies, repair them straight away. This is important so the parents can properly call wait() to do away with its zombie children. File a bug report if a program on your system keeps creating zombies.
Testing for Zombie processes
Before you can figure out how to kill a Zombie process, the real question is to identify and spot it in the first place. In Linux, there are several different commands you can use to execute processes or kick start an application. So it is essential to know the right command for identifying zombie processes in your system.
Fortunately, this can easily be found using a PS command. There is a STAT column within a PS command that will show the current status of all system processes. The status of a zombie process will display a ‘z’ in front of it. Additionally, if you can’t find a z, zombie processes sometimes also have the words in their CMD column.
When thinking about cyber-attacks, most malicious attackers will first think about attacking vulnerabilities and improper remains of dead or defunct processes. Trojans, worms, and zombie processes all make desirable sites for cyber-attacks.
And even though a single zombie process by itself isn’t harmful, a collection can give way to a zombie network that can be used in DDoS attacks with botnets.
Hopefully this guide can serve as a starting point for you to understand, spot, and kill these defunct processes to ensure a safe and secure experience with Linux.
As we have seen, zombie processes can indicate an operating system bug, which won’t pose a problem if there are fewer zombie processes. However, that may cause your website server to go down and create issues if not dealt with on time.